How tax agencies can fight back against insider threats [Commentary]

There is an old episode of "The Simpsons" where Lisa wins the family a trip to Washington, D.C. to take part in a national speechwriting competition. On their way from the airport to the hotel the family's cab stops at a red light with Marge pointing out to Homer the headquarters of the Internal Revenue Service (IRS). "Booooooo!" Homer yells out the car's window, expressing his displeasure with the tax agency.

Needless to say, the IRS is never going to earn the title of most popular agency with U.S. citizens. As the nation's lead tax collector, the agency has the difficult job of processing the tax returns, payments and collections of tax-filing businesses and individuals across the country. While this leads to pop culture jokes like the one referenced above, it is a very important role as those funds go to pay for government services like defense, education and healthcare.

Those funds, as we know, are under constant attack from fraudsters looking to penetrate the system. But these attacks aren't always coming from the outside … insider threats are becoming more commonplace.

The Insider Threat for Tax Agencies

According to a survey from the CERT Division of the Carnegie Mellon Software Engineering Institute (SEI), 47 percent of respondents reported an insider incident has been committed against their organization. They also said 27 percent of all cyberattacks come from insiders.

While these numbers look at the private sector, they surely translate to the government environment as well. Government agencies are incredibly prone to insider threats, especially employees that may have become unhappy with political changes or are approached with a lucrative opportunity from an outside source. This is especially true at tax agencies that have access to large amounts of financial and personal information – information that can generate significant financial and personal gain.

What Should Tax Agencies Do?

First and foremost, leaders at tax agencies must familiarize themselves with the insider threat industry, including considering the most modern insider threat detection solutions. For instance, advanced analytics that can reveal threats automatically.

Sign up for our Daily BriefGet the top Cyber headlines in your inbox every weekday morning.

Advanced analytics provide agencies with visibility into their networks that they did not have before. This enables administrators to have a better understanding of how, and where, data is being used, allowing them to establish baselines that can lead to easily identifying suspicious behavior. Analytics can work without human intervention as well, constantly monitoring networks for suspicious activity and then automatically sending alerts. This type of insight can allow administrators to learn about potential issues and pick up on patterns that human analysts miss.

Advanced analytics systems can use data already available to identify:

File downloads which are excessive for the employees peer group.

Atypical privileged account access (e.g. VIP taxpayers).

Abnormal viewing/modification of taxpayer accounts.

Excessive web activity.

Sentiments (i.e. feelings) expressed in work email that are highly correlated with insider threat.

Unusual time-of-day access.

Employees connections and sphere of influence in the organization.

Advanced analytics, more than anything, can identify out-of-the-norm behavior. Most employees are hired to fill certain tasks, so their work tends to follow certain patterns. When those patterns are disrupted, that's when the analytics engine can raise a red flag. Sometimes those activities might be nothing more than a mistake by an employee, but other times they can signal nefarious behavior.

Its Not Always Malicious

Fighting insider threats has been one of the government's top priorities, but also one of the most difficult to achieve. To succeed, the government needs to have both a trust that employees are doing the work they were hired to do with the best intent, but also enough caution to monitor their work.

That is, of course, for insider threats that are intentionally malicious. There is another category of insider threats made up of employees that mean well, but do not follow information security best practices. These types of employees are not trying to put information at risk, but end up doing so. Advanced analytics can track the behavior of all employees and how they use data, flagging potential risks and dangerous behavior.

Tax agencies already face a difficult job. They must collect trillions of dollars each year in taxes, process returns and watch for fraud, waste and abuse in the process. Insider threats make this difficult job that much harder. With a proper analytics program, though, federal technology leaders can minimize the impact of insider threats and keep data, and important financial information, safe at all times.

Deborah Pianko has 20 years of experience building technology solutions for tax and revenue agencies. As a systems engineer, Deborah helped build the systems used by many tax agencies, including D.C., Tennessee, Arizona, Maryland, Ohio, Nevada, Puerto Rico, Detroit, Australia and others.

Aaron Boyd is an awarding-winning journalist currently serving as editor of Federal Times — a Washington, D.C. institution covering federal workforce and contracting for more than 50 years — and Fifth Domain — a news and information hub focused on cybersecurity and cyberwar from a civilian, military and international perspective.